security: Introduce SetSocketLabel

This API labels all sockets created until ClearSocketLabel is called in a way that a vm can access them (i.e., they are labeled with svirt_t based label in SELinux).
2025-02-25 18:55:26 -06:00 · 2011-08-26 09:39:32 +02:00 · 2011-08-26 09:39:32 +02:00 · 520d91f8bd
commit 520d91f8bd
parent 4c85d96f27
9 changed files with 95 additions and 0 deletions
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@ -911,6 +911,7 @@ virSecurityManagerSetHostdevLabel;
 virSecurityManagerSetProcessFDLabel;
 virSecurityManagerSetProcessLabel;
 virSecurityManagerSetSavedStateLabel;
 virSecurityManagerSetSocketLabel;
 virSecurityManagerVerify;
 # sexpr.h
--- a/src/security/security_apparmor.c
+++ b/src/security/security_apparmor.c
@ -584,6 +584,13 @@ AppArmorSetSecurityDaemonSocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
    return 0;
 }
 static int
 AppArmorSetSecuritySocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
                               virDomainObjPtr vm ATTRIBUTE_UNUSED)
 {
    return 0;
 }
 static int
 AppArmorClearSecuritySocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
                                 virDomainObjPtr vm ATTRIBUTE_UNUSED)
@ -836,6 +843,7 @@ virSecurityDriver virAppArmorSecurityDriver = {
    AppArmorRestoreSecurityImageLabel,
    AppArmorSetSecurityDaemonSocketLabel,
    AppArmorSetSecuritySocketLabel,
    AppArmorClearSecuritySocketLabel,
    AppArmorGenSecurityLabel,
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@ -674,6 +674,14 @@ virSecurityDACSetDaemonSocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
 }
 static int
 virSecurityDACSetSocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
                             virDomainObjPtr vm ATTRIBUTE_UNUSED)
 {
    return 0;
 }
 static int
 virSecurityDACClearSocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
                                 virDomainObjPtr vm ATTRIBUTE_UNUSED)
@ -715,6 +723,7 @@ virSecurityDriver virSecurityDriverDAC = {
    virSecurityDACRestoreSecurityImageLabel,
    virSecurityDACSetDaemonSocketLabel,
    virSecurityDACSetSocketLabel,
    virSecurityDACClearSocketLabel,
    virSecurityDACGenLabel,
--- a/src/security/security_driver.h
+++ b/src/security/security_driver.h
@ -43,6 +43,8 @@ typedef int (*virSecurityDomainRestoreImageLabel) (virSecurityManagerPtr mgr,
                                                   virDomainDiskDefPtr disk);
 typedef int (*virSecurityDomainSetDaemonSocketLabel)(virSecurityManagerPtr mgr,
                                                     virDomainObjPtr vm);
 typedef int (*virSecurityDomainSetSocketLabel) (virSecurityManagerPtr mgr,
                                                virDomainObjPtr vm);
 typedef int (*virSecurityDomainClearSocketLabel)(virSecurityManagerPtr mgr,
                                                virDomainObjPtr vm);
 typedef int (*virSecurityDomainSetImageLabel) (virSecurityManagerPtr mgr,
@ -102,6 +104,7 @@ struct _virSecurityDriver {
    virSecurityDomainRestoreImageLabel domainRestoreSecurityImageLabel;
    virSecurityDomainSetDaemonSocketLabel domainSetSecurityDaemonSocketLabel;
    virSecurityDomainSetSocketLabel domainSetSecuritySocketLabel;
    virSecurityDomainClearSocketLabel domainClearSecuritySocketLabel;
    virSecurityDomainGenLabel domainGenSecurityLabel;
--- a/src/security/security_manager.c
+++ b/src/security/security_manager.c
@ -170,6 +170,16 @@ int virSecurityManagerSetDaemonSocketLabel(virSecurityManagerPtr mgr,
    return -1;
 }
 int virSecurityManagerSetSocketLabel(virSecurityManagerPtr mgr,
                                     virDomainObjPtr vm)
 {
    if (mgr->drv->domainSetSecuritySocketLabel)
        return mgr->drv->domainSetSecuritySocketLabel(mgr, vm);
    virSecurityReportError(VIR_ERR_NO_SUPPORT, __FUNCTION__);
    return -1;
 }
 int virSecurityManagerClearSocketLabel(virSecurityManagerPtr mgr,
                                       virDomainObjPtr vm)
 {
--- a/src/security/security_manager.h
+++ b/src/security/security_manager.h
@ -55,6 +55,8 @@ int virSecurityManagerRestoreImageLabel(virSecurityManagerPtr mgr,
                                        virDomainDiskDefPtr disk);
 int virSecurityManagerSetDaemonSocketLabel(virSecurityManagerPtr mgr,
                                           virDomainObjPtr vm);
 int virSecurityManagerSetSocketLabel(virSecurityManagerPtr mgr,
                                     virDomainObjPtr vm);
 int virSecurityManagerClearSocketLabel(virSecurityManagerPtr mgr,
                                       virDomainObjPtr vm);
 int virSecurityManagerSetImageLabel(virSecurityManagerPtr mgr,
--- a/src/security/security_nop.c
+++ b/src/security/security_nop.c
@ -59,6 +59,12 @@ static int virSecurityDomainSetDaemonSocketLabelNop(virSecurityManagerPtr mgr AT
    return 0;
 }
 static int virSecurityDomainSetSocketLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
                                              virDomainObjPtr vm ATTRIBUTE_UNUSED)
 {
    return 0;
 }
 static int virSecurityDomainClearSocketLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
                                                virDomainObjPtr vm ATTRIBUTE_UNUSED)
 {
@ -172,6 +178,7 @@ virSecurityDriver virSecurityDriverNop = {
    virSecurityDomainRestoreImageLabelNop,
    virSecurityDomainSetDaemonSocketLabelNop,
    virSecurityDomainSetSocketLabelNop,
    virSecurityDomainClearSocketLabelNop,
    virSecurityDomainGenLabelNop,
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@ -1136,6 +1136,43 @@ done:
    return rc;
 }
 static int
 SELinuxSetSecuritySocketLabel(virSecurityManagerPtr mgr,
                              virDomainObjPtr vm)
 {
    const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
    int rc = -1;
    if (secdef->label == NULL)
        return 0;
    if (!STREQ(virSecurityManagerGetModel(mgr), secdef->model)) {
        virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
                               _("security label driver mismatch: "
                                 "'%s' model configured for domain, but "
                                 "hypervisor driver is '%s'."),
                               secdef->model, virSecurityManagerGetModel(mgr));
        goto done;
    }
    VIR_DEBUG("Setting VM %s socket context %s",
              vm->def->name, secdef->label);
    if (setsockcreatecon(secdef->label) == -1) {
        virReportSystemError(errno,
                             _("unable to set socket security context '%s'"),
                             secdef->label);
        goto done;
    }
    rc = 0;
 done:
    if (security_getenforce() != 1)
        rc = 0;
    return rc;
 }
 static int
 SELinuxClearSecuritySocketLabel(virSecurityManagerPtr mgr,
                                virDomainObjPtr vm)
@ -1313,6 +1350,7 @@ virSecurityDriver virSecurityDriverSELinux = {
    SELinuxRestoreSecurityImageLabel,
    SELinuxSetSecurityDaemonSocketLabel,
    SELinuxSetSecuritySocketLabel,
    SELinuxClearSecuritySocketLabel,
    SELinuxGenSecurityLabel,
--- a/src/security/security_stack.c
+++ b/src/security/security_stack.c
@ -354,6 +354,22 @@ virSecurityStackSetDaemonSocketLabel(virSecurityManagerPtr mgr,
 }
 static int
 virSecurityStackSetSocketLabel(virSecurityManagerPtr mgr,
                               virDomainObjPtr vm)
 {
    virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
    int rc = 0;
    if (virSecurityManagerSetSocketLabel(priv->secondary, vm) < 0)
        rc = -1;
    if (virSecurityManagerSetSocketLabel(priv->primary, vm) < 0)
        rc = -1;
    return rc;
 }
 static int
 virSecurityStackClearSocketLabel(virSecurityManagerPtr mgr,
                                 virDomainObjPtr vm)
@ -419,6 +435,7 @@ virSecurityDriver virSecurityDriverStack = {
    virSecurityStackRestoreSecurityImageLabel,
    virSecurityStackSetDaemonSocketLabel,
    virSecurityStackSetSocketLabel,
    virSecurityStackClearSocketLabel,
    virSecurityStackGenLabel,